You are basically encrypting an encrypted file, then only decrypting it one step. This results in an encrypted file (your hmac.data), that still requires an additional level of decryption from you using CryptAuthCode()

I also struggled with CryptAuthCode when it became available. I was able to get the BaseElements plugin to work, but not the native function.

Two issues;

1. CryptAuthCode in 16.0.1 does not produce correct results.

2. CryptAuthCode works internally with binary data.

What does this mean? Firstly you need to be running at least 16.0.2. Secondly whereas the BaseElements plugin allows you to specify if C and K are Hex or Base64 you need to encode C and K appropriately for it to produce same results. If you just pass in a Hex string it will be treated as text ... not what you intended.